From owner-freebsd-net@FreeBSD.ORG Fri Dec 3 14:39:27 2004
Message-ID: <41B07A9C.6070803@traveller.cz>
Date: Fri, 03 Dec 2004 15:39:24 +0100
From: Michal Mertl
To: gnn@freebsd.org
cc: freebsd-net@freebsd.org
cc: Andre Oppermann
Subject: Re: New Networking Project...

I looked at the project page and noticed one thing I found code for.

Task: Rework code in FreeBSD's ip_icmp.c such that ICMP responses for forwarding can be throttled also. Call badport_bandlim() before icmp_error()?

Andre Oppermann wrote a simple patch for it and posted it on net@ in January 2004. His (updated) patch is attached. Sorry Andre for speaking on your behalf, but I was afraid your work might get lost.

-- 
Michal Mertl

[Attachment: icmp-unr-host.3.diff]

Index: icmp_var.h =================================================================== RCS file: /home/fcvs/cvs/src/sys/netinet/icmp_var.h,v retrieving revision 1.24 diff -u -r1.24 icmp_var.h --- icmp_var.h 16 Aug 2004 18:32:07 -0000 1.24 +++ icmp_var.h 3 Dec 2004 14:31:08 -0000
@@ -78,11 +78,12 @@ extern int badport_bandlim(int); #define BANDLIM_UNLIMITED -1 #define BANDLIM_ICMP_UNREACH 0 -#define BANDLIM_ICMP_ECHO 1 -#define BANDLIM_ICMP_TSTAMP 2 -#define BANDLIM_RST_CLOSEDPORT 3 /* No connection, and no listeners */ -#define BANDLIM_RST_OPENPORT 4 /* No connection, listener */ -#define BANDLIM_MAX 4 +#define BANDLIM_ICMP_UNREACH_HOST 1 +#define BANDLIM_ICMP_ECHO 2 +#define BANDLIM_ICMP_TSTAMP 3 +#define BANDLIM_RST_CLOSEDPORT 4 /* No connection, and no listeners */ +#define BANDLIM_RST_OPENPORT 5 /* No connection, listener */ +#define BANDLIM_MAX 5 #endif #endif Index: ip_icmp.c =================================================================== RCS file: /home/fcvs/cvs/src/sys/netinet/ip_icmp.c,v retrieving revision 1.97 diff -u -r1.97 ip_icmp.c --- ip_icmp.c 15 Sep 2004 20:13:26 -0000 1.97 +++ ip_icmp.c 3 Dec 2004 14:31:08 -0000 @@ -172,6 +172,18 @@ if (n->m_flags & (M_BCAST|M_MCAST)) goto freeit; /* + * Limit sending of ICMP host unreachable messages. + * If we are acting as a router and someone is doing a sweep + * scan (eg. nmap and/or numerous windows worms) for destinations + * we are the gateway for but are not reachable (ie. a /24 on a + * interface and only a couple of hosts on the ethernet) we would + * generate a storm of ICMP host unreachable messages. + */ + if (type == ICMP_UNREACH && code == ICMP_UNREACH_HOST) { + if (badport_bandlim(BANDLIM_ICMP_UNREACH_HOST) < 0) + goto freeit; + } + /* * First, formulate icmp message */ m = m_gethdr(M_DONTWAIT, MT_HEADER); @@ -893,7 +905,8 @@ struct timeval lasttime; int curpps; } rates[BANDLIM_MAX+1] = { - { "icmp unreach response" }, + { "icmp unreach port response" }, + { "icmp unreach host response" }, { "icmp ping response" }, { "icmp tstamp response" }, { "closed port RST response" }, --------------040604000403040206080404--
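Review bot: in the icmp_var.h hunk, inserting BANDLIM_ICMP_UNREACH_HOST at value 1 renumbers every existing constant (BANDLIM_ICMP_ECHO, BANDLIM_ICMP_TSTAMP, BANDLIM_RST_CLOSEDPORT, BANDLIM_RST_OPENPORT and BANDLIM_MAX all shift by one), so any object built against the old header that passes these values to badport_bandlim() or indexes the rates[] table by them lands in the wrong bucket until it is recompiled. Appending the new class instead, as `#define BANDLIM_ICMP_UNREACH_HOST 5` with only BANDLIM_MAX bumped, keeps the existing values stable; if the renumbering is deliberate so the two unreach classes sit together, the commit message should say so.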
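Review bot: in the first ip_icmp.c hunk (@@ -172,6 +172,18 @@), the new check limits every ICMP_UNREACH_HOST message this host generates, not only those produced while forwarding, while the comment above it is phrased in terms of "acting as a router"; either reword the comment to say the limit applies to all host-unreachable generation, or narrow the condition to the forwarding path if that was the intent. The task being addressed asks for forwarding responses to be throttled in general and this hunk covers only code ICMP_UNREACH_HOST, so other forwarding-generated errors remain unlimited; state whether that is a deliberate first step. Minor: "a /24 on a interface" should read "an interface".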
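Review bot: in the rates[] hunk (@@ -893,7 +905,8 @@), changing the existing first entry from "icmp unreach response" to "icmp unreach port response" alters the description string of a class that already exists, so anything matching on the old text stops matching; unless the rename is required, insert only the new "icmp unreach host response" line. The table is positional and has to track the BANDLIM_* numbering in icmp_var.h exactly (it does here: unreach 0, unreach host 1, ping 2, tstamp 3, and so on), so a comment naming that dependency, or designated initializers such as `[BANDLIM_ICMP_UNREACH_HOST] = { "icmp unreach host response" },`, would keep the two from drifting apart in a later edit.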